
Adding a "Remember Me" to Justin Hagstrom AutoIndexer


2 replies to this topic

#1 pocahontas13jb

  • New Members
  • Newbie
  • 1 posts

Posted 09 October 2017 - 06:12 AM

My company has used Justin Hagstrom AutoIndexer for years, but it was mentioned that a "Remember Me" function would be handy. I of course took on the task, thinking a simple tutorial would be a teaching element and I could help solve the problem. I think I bit off more than I can chew.

 

    $log_login = false;
    if (USE_LOGIN_SYSTEM && isset($_POST['username'], $_POST['password'])
        && $_POST['username'] != '' && $_POST['password'] != '')
    {
        $you = new UserLoggedIn($_POST['username'], sha1($_POST['password']));
        $log_login = true;
        $_SESSION['password'] = sha1($_POST['password']);
        // note: the password is cleared here, so the "remember" block further
        // down never sees $_POST['password'] and writes an empty cookie
        unset($_POST['password']);
        $_SESSION['username'] = $_POST['username'];
    }
    else if (USE_LOGIN_SYSTEM && isset($_SESSION['username'], $_SESSION['password']))
    {
        $you = new UserLoggedIn($_SESSION['username'], $_SESSION['password']);
    }
    // cookie names are 'user'/'pass' to match the setcookie() calls below
    // (the original read 'username'/'password', which are never set)
    else if (USE_LOGIN_SYSTEM && isset($_COOKIE['user'], $_COOKIE['pass']))
    {
        $you = new UserLoggedIn($_COOKIE['user'], $_COOKIE['pass']);
    }
    else
    {
        $you = new User();
        if (MUST_LOGIN_TO_DOWNLOAD && USE_LOGIN_SYSTEM)
        {
            $str = '<p>You must login to view and download files. </p>'
            . '<table border="0" cellpadding="8" cellspacing="0">'
            . '<tr class="paragraph"><td class="autoindex_td">'
            . $you -> login_box() . '</td></tr></table>';
            echo new Display($str);
            die();
        }
    }

    // "Remember me": stores the raw username and password in cookies for ten years
    if (!empty($_POST['remember']))
    {
        setcookie('user', $_POST['username'], time() + (10 * 365 * 24 * 60 * 60));
        setcookie('pass', $_POST['password'], time() + (10 * 365 * 24 * 60 * 60));
    }
    else
    {
        if (isset($_COOKIE['user']))
        {
            setcookie('user', '');
        }
        if (isset($_COOKIE['pass']))
        {
            setcookie('pass', '');
        }
    }   // closes the else block; without this brace PHP reports the parse error
    
 
 
I keep getting an error: Parse error: parse error in /Library/WebServer/Documents/mesc2015/mesc/gatedTEST/index.php on line 663
 
    }
    $log -> add_entry($search_log);
    $str = $dir_list -> __toString();
    echo new Display($str);
}
catch (ExceptionDisplay $e)
{
    echo $e;
}
catch (Exception $e)
{
    echo simple_display($e -> getMessage());
}
 

 




#2 mac_gyver

  • Staff Alumni
  • 4,046 posts

Posted 10 October 2017 - 12:49 AM

You should NOT store any static/fixed user information for login purposes in a cookie, since anyone stealing/capturing those cookie values can log in as the actual user until the values get changed, and I'm betting you don't want your users to keep changing their usernames and passwords in case someone has managed to get a copy of them.

 

You should also NOT store the username and hashed password in session variables. You should store the user's id (auto-increment database table column) in the session variable and use that id from the session variable to query for any other user information. This will allow the username to be edited by a moderator/admin of your site without requiring the user to log out and back in again for the edit to take effect.

 

The way to implement a remember-me system is to generate a unique random token when the user successfully logs in, store that in the user's row in the database table, and store it in the cookie.

 

As part of the login check, if the current visitor is not logged in (no session variable with the user id), check if the cookie holding the token exists. If it does, query to find the row of data that matches the token value. If a row is found, fetch the user's id and store that in the session variable. All the rest of the code testing that session variable will remain the same.

 

Next, using sha1() to hash passwords is not very secure, since it is easy with today's personal computers to quickly brute-force generate 'rainbow' tables of password values to hashes. You need to use PHP's password_hash() and password_verify() functions.

 

To convert current users, add a column to the users table to hold the new hash value. When a user tries to log in, if the user has a value in the new hash column, use that in the login code, using password_verify() to compare the submitted password value with the hash value. If they don't have a value in the new hash column, use the value from the existing hash column to perform the login check. If the old-hash login is successful, generate a new hash using password_hash(), store that in the new hash column, and clear the existing hash column.


Edited by mac_gyver, 10 October 2017 - 12:54 AM.

multi-purpose programming fool. well written source-code should be self-documenting. well written code should be self-troubleshooting.
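The remember-me token flow and the sha1-to-password_hash() migration described in the post above, worked through as one runnable PHP script. This is an added example, not code from AutoIndex or from the poster; it assumes a `users` table with the columns `id`, `username`, `password_hash` (legacy sha1 hex), `password_hash2` (output of password_hash()) and `remember_token`, and a cookie named `autoindex_remember`, all of which are assumptions. It goes one step beyond the post in two places, both labelled in the code: the database stores a SHA-256 of the token rather than the token itself, so a leaked table does not yield working cookies, and the cookie is set with HttpOnly, Secure and SameSite flags. The demo at the bottom uses an in-memory SQLite table with constructed data so it runs offline (`php remember.php`).

```php
<?php
// Added example (not AutoIndex's own code): remember-me token plus
// sha1 -> password_hash() migration, following the steps in the post above.
// Assumed schema: users(id, username, password_hash [legacy sha1 hex],
//                       password_hash2 [password_hash()], remember_token).
// Beyond the post: the DB stores sha256(token), not the token itself.
declare(strict_types=1);

const REMEMBER_COOKIE = 'autoindex_remember';   // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 60 * 60;      // 30 days, not ten years

// Returns the user id on success, null on failure; migrates legacy rows.
function login(PDO $db, string $username, string $password): ?int
{
    $st = $db->prepare('SELECT id, password_hash, password_hash2 FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if (!empty($row['password_hash2'])) {           // already migrated
        return password_verify($password, $row['password_hash2']) ? (int)$row['id'] : null;
    }
    // Legacy check against the old sha1 column (constant-time compare)
    if (!hash_equals((string)$row['password_hash'], sha1($password))) {
        return null;
    }
    // Old-hash login succeeded: store a modern hash and clear the sha1 value
    $up = $db->prepare('UPDATE users SET password_hash2 = ?, password_hash = NULL WHERE id = ?');
    $up->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    return (int)$row['id'];
}

// Mint a fresh random token for this user; the caller puts it in the cookie.
function issueRememberToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));             // 256 bits of entropy
    $st = $db->prepare('UPDATE users SET remember_token = ? WHERE id = ?');
    $st->execute([hash('sha256', $token), $userId]);
    return $token;
}

function clearRememberToken(PDO $db, int $userId): void   // call on logout
{
    $db->prepare('UPDATE users SET remember_token = NULL WHERE id = ?')->execute([$userId]);
}

// Cookie flags matter as much as the token: HttpOnly, Secure, SameSite.
function setRememberCookie(string $token): void
{
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Login check: session first, then the remember cookie, as the post describes.
function currentUserId(PDO $db, array &$session, array $cookies): ?int
{
    if (isset($session['user_id'])) {
        return (int)$session['user_id'];
    }
    $cookie = $cookies[REMEMBER_COOKIE] ?? null;
    if (!is_string($cookie) || !preg_match('/\A[0-9a-f]{64}\z/', $cookie)) {
        return null;                                // absent or malformed
    }
    $st = $db->prepare('SELECT id FROM users WHERE remember_token = ?');
    $st->execute([hash('sha256', $cookie)]);
    $id = $st->fetchColumn();
    if ($id === false) {
        return null;
    }
    $session['user_id'] = (int)$id;                 // everything else keys off this
    return (int)$id;
}

// Self-contained demo on an in-memory SQLite table with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password_hash TEXT, password_hash2 TEXT, remember_token TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', sha1('correct horse')]);      // legacy sha1 user

$session = [];
$id = login($db, 'alice', 'correct horse');          // legacy path, migrates the row
assert($id === 1);
assert(login($db, 'alice', 'correct horse') === 1);  // now verified via password_verify()
assert(login($db, 'alice', 'wrong') === null);

$token = issueRememberToken($db, $id);               // on a real request: setRememberCookie($token);
$session = [];                                       // simulate a new browser session
assert(currentUserId($db, $session, [REMEMBER_COOKIE => $token]) === 1);
$session = [];
assert(currentUserId($db, $session, [REMEMBER_COOKIE => 'not-a-token']) === null);
clearRememberToken($db, $id);                        // logout invalidates the cookie server-side
assert(currentUserId($db, $session, [REMEMBER_COOKIE => $token]) === null);
echo "remember-me demo OK\n";
```

Only the user id ever reaches the session, so a moderator renaming a user or a logout clearing the token takes effect without touching the session code. The token is regenerated on every successful login and stored only as a hash; the cookie value is validated as 64 hex characters before it is used in a query, so malformed or oversized cookies are rejected before the database is involved.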

#3 ignace

  • Moderators
  • Now mod flavored
  • 6,419 posts
  • Location: Belgium

Posted 10 October 2017 - 09:59 AM

Maybe it's time to use another maintained system:
https://www.cvedetai...Php-Script.html

Last commit to the code was from November 2012.



